SlideShare a Scribd company logo

SSO and fine grained authorization in the cloud

Download as ODP, PDF
O
Oliver Wulff

The document discusses single sign-on (SSO) and fine-grained authorization in cloud applications. It covers authentication and authorization challenges, how standards like WS-Federation address these challenges, and how Apache CXF Fediz implements WS-Federation. Specifically, Fediz provides an identity provider (IDP), security token service (STS) and plugin to enable SSO and claims-based authorization in web apps running in different containers.

1 of 35
SSO and fine grained authorization in the cloud Oliver Wulff
Brief introduction ● Solution Architect ● Web Services (Axis, CXF, …) ● Security (WS-*, Kerberos, Web SSO, …) ● Corba ● Java / C# / C++ ● Apache CXF PMC member ● Talend Community Coder (coders.talend.com) ● http://owulff.blogspot.com ● owulff@apache.org
Agenda ● Authentication & Authorization in Web Applications ● Apache CXF Fediz ● Fediz and STS Use cases ● Relying Party IDP ● Fediz Roadmap
Authentication & Authorization in Web Applications
Application Security 10 years ago ● SSO solution using Reverse Proxy ● Proprietary SSO token / protocol ● Same product at Reverse Proxy, Application Server andcentral Security Service ● Security tokens validated by remote Security Server ● Role Based Access Control (Java, .NET API) ● User/ID management internal
Security Challenges ● Non IT company – Buy vs build (non IT company) – Applications hosted in the cloud ● SaaS for IT companies ● Integrate several IDM systems (B2B customers) ● Access to user information – Network connectivity – Replicating user information ● Reduce Security Code in the Application
Gaps ● Fine grained authorization (beyond RBAC) in application logic ● Tight coupling to custom security components and protocols (central server, reverse proxy, proxy agent) ● Tight coupling to single user domain ● Lack of agility and risk due to managing B2B users internally ● Different authentication mechanism in the application (container) ● Integration with Web Services Stack ● Mock testing
How to address that? ● Indirect Trust Relationship to Security Server ● Push user data to the application instead of pulling it ● Externalize Authentication to a Central server ● Lightweight Open Source component ● Industry standard based solution
WS-Federation ● OASIS Standard 2009 ● Security Token agnostic (SAML 1.1/2.0, …) ● Extends WS-Trust ● Browser and Web Services SSO ● PRP adapts Browser to WS-Trust ● No connectivity between Application and IDP required (Cloud) ● Claims/Attribute Based Access Control ● Supports several Authentication domains
WS-Trust Security Token Service 1. Consumer requests token from STS, presenting credentials (RST = Request Security Token) 2. STS verifies credentials and issues signed token 3. STS sends token back to consumer (RSTR = Request Security Token Response) 4. Consumer encloses token in message to service provider (optionally signing message) 5. Service provider validates token (and signature) 6. Service provider sends response to consumer WS-SecurityPolicy brings flexibility and transparency to service consumer
Apache CXF Fediz
Apache CXF Fediz ● Sub-project of Apache CXF project ● Work started mid of 2011 ● Community growing ● First release in June 2012 ● Current release 1.0.2 ● Finishing work for 1.1
Apache CXF Fediz Id e n tity P r o v id e r (ID P ) S e c u r ity T o k e n S e r v ic e (S T S ) W S - F e d e r a tio n F e d iz ID P n tio S e c u r ity T o k e n s t ic a e n W S -T ru s t is s u e d b y S T S en Tok F e d iz S T S u th A  U s e r M a c h in e B ro w s e r R e ly in g P a r ty (R P ) A cc es s  W W e b A p p lic a tio n R eb ec ed A to ir p p ID t lic P at io n F e d iz P lu g in H TTP S S e r v le t C o n ta in e r
Apache CXF Fediz 2 ) S ig n In R e q u e s t 3 ) L o g in Id e n tity P r o v id e r W eb U ser ID P / S T S 4 ) P o s t C r e d e n tia ls 5 ) S ig n In R e s p o n s e S A M L to k e n B ro w s e r T r u s t r e la t io n s h ip S ig n e d T o k e n N o C a ll to S T S 7 ) R e s o u r c e , S e t C o o k ie R e ly in g P a r ty 6 ) P o s t S ig n In R e s p o n s e E x . T o m c a t, W e b s p h e re , A S P .N E T , e tc . 1 ) H T T P G E T re s o u rc e R e d ir e c t to I D P
Apache CXF STS ● WS-Trust 1.3/1.4 ● SAML token creation ● WS-SecurityPolicy 1.3 customizable ● RST Subject, Audience, authenticationUsername/Kerb AttributeStatements,… eros/SAML token ● Claims support ● Security Bindings: ● Support for realms/security Symmetric, Asymmetric, domains Transport ● Identity Mapping ● Supported bindings ● Claims transformation Issue, validate, cancel, renew ● Advanced RST ● Token provider elementsKeyType, Entropy, SAML 1.1/2.0 (HOK, Bearer), AppliesTo, Custom, SecondaryParameters, … Secure Conversation ● Intermediary ● Token encryption supportOnBehalfOf, ActAs ● Issue/validate supports ● Custom Claims dialects token transformation ● Batch processing (RSTC)
Fediz IDP / STS ● Username / password authentication ● User store (File, LDAP, JAAS) – File store – LDAPLoginModule – Other JAAS Login Module ● Claims/Role store (File, LDAP) – LdapClaimsHandler – FileClaimsHandler – custom ● SAML Token creation customizable ● Small footprint (Mock testing) ● Wiki http://cxf.apache.org/fediz-idp.html
Fediz Plugin ● WS-Federation 1.0/1.1/1.2 ● SAML 1.1 / 2.0 Tokens ● IDP trust types Chain Trust, Direct Trust ● Core Logic Container independent ● Supports Tomcat 7 ● WS-Federation Metadata publish ● Claims provided in FederationPrincipal ● Wiki http://cxf.apache.org/fediz-idp.html
Fediz Plugin Configuration Config element Description Metadata issuer Issuer URL PassiveRequestorEndpoint realm Realm TargetScope authenticationType Authentication Type NA roleURI Claim URI for roles NA roleDelimiter Role Value Delimiter NA claimTypesRequested Requested claims ClaimTypesRequested homeRealm Home Realm NA tokenValidators Security Token Validator NA signingKey Key for Metadata Metadata signature signature
Fediz Plugin Extensions (1/2) ● Customize Sign-In Request Configuration SignIn Request Callback object authenticationType wauth WAuthCallback homeRealm whr HomeRealmCallback freshness wfresh FreshnessCallback issuer N.A. IDPCallback ● Customize Security Token Validation
Fediz Plugin Extensions (2/2) ● Callback Handler implementation for Home Realm Discovery public class MyCallbackHandler implements CallbackHandler { public void handle(Callback[] callbacks) throws … { for (int i = 0; i < callbacks.length; i++) { if (callbacks[i] instanceof HomeRealmCallback) { HomeRealmCallback callback = (HomeRealmCallback) callbacks[i]; HttpServletRequest request = callback.getRequest(); String homeRealm = ... callback.setHomeRealm(homeRealm); } else { throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback"); } } } } ● Wiki http://cxf.apache.org/fediz-extensions.html
Fediz Interoperability Fediz IDP Adnovum IDP Microsoft ADFS Fediz Plugin ASP.NET ● Fediz STS based on Apache CXF STS ● Apache CXF STS integrated into Adnovum IDP
Fediz and STS Use cases
STS: Use case Web SSO Fediz example “simpleWebapp” https://localhost:8443/fedizhelloworld/secure/fedservlet
Standards ● WS-Federation 1.2 ● WS-Trust 1.3 ● SAML 2.0 ● OASIS Identity Metasystem CXF STS capabilities ● RST UsernameKerberos ● SAML 2.0 Bearer ● Claims from LDAP ● Claim data in AttributeStatement Federation plugin ● SAML token validation (WSS4J, OpenSAML) ● Creates security context
STS: Use case intermediary Fediz example “wsclientWebapp” https://localhost:8443/fedizhelloworld/secure/service.jsp
Standards ● WS-Trust 1.3 ● SAML 2.0 ● WS-SecurityPolicy CXF STS capabilities CXF capabilities ● RST SAML token [4,6] ● Issued token assertion(WS-SecurityPolicy) ● SAML 2.0 Bearer [6] ● SecondaryParameters ● Custom Token [4] ● OnBehalfOf (BinarySecurityToken) ● Token caching ● Token transformation [4,6] ● Identity Mapping[4] ● OnBehalfOf [4,6]
Relying Party IDP
More than one Requestor IDP ● WS-Federation defines Requestor and Relying Party IDP ● RP IDP issues SAML token for application in a requestor independent format ● Integrate Requestor IDPs without affecting application ● HomeRealm Discovery ● RP IDP federates Identities or Claims
Internal ID management Federate identites R e q u e s to r Id P ● CXF IdentityMapper R e q u e s to r Id P m y c o m p a n y .c o m ● Relationship: FederateIdentity APAC m y c o m p a n y .c o m EM EA R P - Id P H o m e r e a lm d is c o v e r y 3 Id P m y c o m p a n y .c o m 2 B ro w s e r In tr a n e t 1 R e ly in g P a r ty A p p lic a tio n C o n ta in e r Ex. Tom cat
Hyprid ID management R e q u e s to r Id P F a b r ik a m .c o m In te r n a l R e q u e s to r Id P m y c o m p a n y .c o m R e q u e s to r Id P APAC B ro w s e r m y c o m p a n y .c o m 3 f a b r ik a m .c o m EM EA R P -Id P 2 H o m e r e a lm d is c o v e r y 3 Id P m y c o m p a n y .c o m 2 B ro w s e r In tr a n e t 1 1 R e ly in g P a r ty A p p lic a tio n C o n ta in e r Ex. Tom cat Federate identities ● CXF IdentityMapper ● Relationship: FederateIdentity
External requestor IDPs (SaaS) R e q u e s to r Id P F a b r ik a m .c o m In te r n a l R e q u e s to r Id P m y c o m p a n y .c o m R e q u e s to r Id P APAC B ro w s e r m y c o m p a n y .c o m 3 f a b r ik a m .c o m EM EA R P -Id P 2 H o m e r e a lm d is c o v e r y 3 Id P m y c o m p a n y .c o m 2 B ro w s e r In tr a n e t 1 2 B ro w s e r a d a ta m .c o m 1 R e ly in g P a r ty 1 A p p lic a tio n 3 C o n ta in e r Ex. Tom cat R e q u e s to r Id P Federate claims/attributes a d a ta m .c o m ● CXF ClaimsMapper E x te rn a l ● Relationship: FederateClaims
Fediz Roadmap ● WS-Federation support for RP-IDP (1.1) ● HomeRealm Discovery (1.1) ● SAML Profile (1.1+) ● Support encrypted SAML tokens (1.1) ● SAML Holder-Of-Key (1.1) ● Fediz Plugin support – Karaf (1.1) – Jetty (1.1) – Spring Security (1.1)
More information ● Fediz website http://cxf.apache.org/fediz.html ● Blogs http://coheigea.blogspot.com http://www.dankulp.com/blog/ http://sberyozkin.blogspot.com http://owulff.blogspot.com
Content Slides ● Level 1 – Level 2 ● Level 3 – Level 4 ● Level 5
Standards ● WS-Trust 1.3 ● SAML 2.0 Id e n tity P r o v id e r ● WS-SecurityPolicy < < S o la r is > > Id e n tit y S to r e Id e n tity S to r e < < W in d o w s > > < < M a in f r a m e > > ID P < < N e v is > > CXF STS capabilities 2 .1 LDAP RACF STS 2 .2 RST SAML token [4,6] <<CXF>> ● ● SAML 2.0 Bearer [6] 4 .1 ● Custom Token [4] (BinarySecurityToken) B u s in e s s S e r v ic e 2 < < T o m c a t> > ● Token transformation [4,6] 4 / 6 Identity Mapping[4] A p p lic a t io n ● J A X -R P C ● OnBehalfOf [4,6] Not CXF W e b A p p lic a tio n < < T o m c a t> > T ) ( BS CXF capabilities B ro w s e r 5 3 A p p lic a tio n ● Issued token assertion(WS- 1 J A X -W S B u s in e s s S e r v ic e SecurityPolicy) F e d e r a t io n _ _ CXF < < O S G i K a ra f> > ● SecondaryParameters 7 (S T ) A p p lic a t io n ● OnBehalfOf J A X -W S ● Token caching CXF

Recommended

Ricardo Klatlovsky - Plugging In The Consumer: Results and Conclusions of the...
Ricardo Klatlovsky - Plugging In The Consumer: Results and Conclusions of the...Ricardo Klatlovsky - Plugging In The Consumer: Results and Conclusions of the...
Ricardo Klatlovsky - Plugging In The Consumer: Results and Conclusions of the...Shane Mitchell
 
New eraformulablueprint
New eraformulablueprintNew eraformulablueprint
New eraformulablueprintRudy Rich
 
XS Oracle 2009 Networking 10gig
XS Oracle 2009 Networking 10gigXS Oracle 2009 Networking 10gig
XS Oracle 2009 Networking 10gigThe Linux Foundation
 
Katakana 1
Katakana 1Katakana 1
Katakana 1jfordha6
 
Apache CXF - New Features
Apache CXF - New FeaturesApache CXF - New Features
Apache CXF - New FeaturesDaniel Kulp
 
Borderless Federated-Identity
Borderless Federated-IdentityBorderless Federated-Identity
Borderless Federated-IdentityWSO2
 
CIS14: Building Blocks for Mobile Authentication and Security
CIS14: Building Blocks for Mobile Authentication and SecurityCIS14: Building Blocks for Mobile Authentication and Security
CIS14: Building Blocks for Mobile Authentication and SecurityCloudIDSummit
 
Presentation sso design_security
Presentation sso design_securityPresentation sso design_security
Presentation sso design_securityMarco Morana
 

Recommended

Ricardo Klatlovsky - Plugging In The Consumer: Results and Conclusions of the...
Ricardo Klatlovsky - Plugging In The Consumer: Results and Conclusions of the...Ricardo Klatlovsky - Plugging In The Consumer: Results and Conclusions of the...
Ricardo Klatlovsky - Plugging In The Consumer: Results and Conclusions of the...Shane Mitchell
 
New eraformulablueprint
New eraformulablueprintNew eraformulablueprint
New eraformulablueprintRudy Rich
 
XS Oracle 2009 Networking 10gig
XS Oracle 2009 Networking 10gigXS Oracle 2009 Networking 10gig
XS Oracle 2009 Networking 10gigThe Linux Foundation
 
Katakana 1
Katakana 1Katakana 1
Katakana 1jfordha6
 
Apache CXF - New Features
Apache CXF - New FeaturesApache CXF - New Features
Apache CXF - New FeaturesDaniel Kulp
 
Borderless Federated-Identity
Borderless Federated-IdentityBorderless Federated-Identity
Borderless Federated-IdentityWSO2
 
CIS14: Building Blocks for Mobile Authentication and Security
CIS14: Building Blocks for Mobile Authentication and SecurityCIS14: Building Blocks for Mobile Authentication and Security
CIS14: Building Blocks for Mobile Authentication and SecurityCloudIDSummit
 
Presentation sso design_security
Presentation sso design_securityPresentation sso design_security
Presentation sso design_securityMarco Morana
 
learning interoperability from web2.0
learning interoperability from web2.0learning interoperability from web2.0
learning interoperability from web2.0Shoaib Burq
 
Social media & web analytics innovation procopio-2012-04
Social media & web analytics innovation procopio-2012-04Social media & web analytics innovation procopio-2012-04
Social media & web analytics innovation procopio-2012-04Michael Procopio
 
Actionable Metrics at Production Scale - LSPE Meetup June 27, 2012
Actionable Metrics at Production Scale - LSPE Meetup June 27, 2012Actionable Metrics at Production Scale - LSPE Meetup June 27, 2012
Actionable Metrics at Production Scale - LSPE Meetup June 27, 2012SOASTA
 
HP - 2martie2011
HP - 2martie2011HP - 2martie2011
HP - 2martie2011Agora Group
 
Green cities elevated tower tank tree
Green cities elevated tower tank treeGreen cities elevated tower tank tree
Green cities elevated tower tank treeBusiness Innovation Research Development
 
Analysing The Results Of A Card Sort
Analysing The Results Of A Card SortAnalysing The Results Of A Card Sort
Analysing The Results Of A Card SortJustine Sanderson
 
The FAA Enforcement Process (2008)
The FAA Enforcement Process (2008)The FAA Enforcement Process (2008)
The FAA Enforcement Process (2008)Mark Kolber
 
GlassFish ESB and OpenESB
GlassFish ESB and OpenESBGlassFish ESB and OpenESB
GlassFish ESB and OpenESBEduardo Pelegri-Llopart
 
Yes systems engineering, you are a discipline
Yes systems engineering, you are a disciplineYes systems engineering, you are a discipline
Yes systems engineering, you are a disciplineJoseph KAsser
 
Oracle data integrator in swedbank EDW - Rein Adamson ja Mart Tudre
Oracle data integrator in swedbank EDW - Rein Adamson ja Mart TudreOracle data integrator in swedbank EDW - Rein Adamson ja Mart Tudre
Oracle data integrator in swedbank EDW - Rein Adamson ja Mart TudreORACLE USER GROUP ESTONIA
 
LOD2 Plenary Vienna 2012: WP10 - Training, Dissemination, Community Building,...
LOD2 Plenary Vienna 2012: WP10 - Training, Dissemination, Community Building,...LOD2 Plenary Vienna 2012: WP10 - Training, Dissemination, Community Building,...
LOD2 Plenary Vienna 2012: WP10 - Training, Dissemination, Community Building,...LOD2 Creating Knowledge out of Interlinked Data
 
Steuben Heroes Calendar
Steuben Heroes CalendarSteuben Heroes Calendar
Steuben Heroes Calendarsmhansbarger
 
Hp dba v.6.2 technical slides
Hp dba v.6.2 technical slidesHp dba v.6.2 technical slides
Hp dba v.6.2 technical slidesaxentriacg
 
Usmp 8100 p-0
Usmp 8100 p-0Usmp 8100 p-0
Usmp 8100 p-0zia_7575
 
Enterprise Architecture for Dummies - TOGAF 9 enterprise architecture overview
Enterprise Architecture for Dummies - TOGAF 9 enterprise architecture overviewEnterprise Architecture for Dummies - TOGAF 9 enterprise architecture overview
Enterprise Architecture for Dummies - TOGAF 9 enterprise architecture overviewWinton Winton
 
Katalog trends 07_oyen_de_web
Katalog trends 07_oyen_de_webKatalog trends 07_oyen_de_web
Katalog trends 07_oyen_de_webJörg Oyen
 
2010 Q1 WSO2 Technical Update
2010 Q1 WSO2 Technical Update2010 Q1 WSO2 Technical Update
2010 Q1 WSO2 Technical UpdateWSO2
 
Press Release: North Main Stret Bridge project
Press Release: North Main Stret Bridge projectPress Release: North Main Stret Bridge project
Press Release: North Main Stret Bridge projectRochester Economic Development
 
Alison Fleming Michael Upton Collaborating for Success
Alison Fleming Michael Upton Collaborating for SuccessAlison Fleming Michael Upton Collaborating for Success
Alison Fleming Michael Upton Collaborating for SuccessFuture Perfect 2012
 
Carro y maleta de Herramientas - Suministrps Industriales
Carro y maleta de Herramientas - Suministrps IndustrialesCarro y maleta de Herramientas - Suministrps Industriales
Carro y maleta de Herramientas - Suministrps IndustrialesAUXITEC
 

More Related Content

Similar to SSO and fine grained authorization in the cloud

learning interoperability from web2.0
learning interoperability from web2.0learning interoperability from web2.0
learning interoperability from web2.0Shoaib Burq
 
Social media & web analytics innovation procopio-2012-04
Social media & web analytics innovation procopio-2012-04Social media & web analytics innovation procopio-2012-04
Social media & web analytics innovation procopio-2012-04Michael Procopio
 
Actionable Metrics at Production Scale - LSPE Meetup June 27, 2012
Actionable Metrics at Production Scale - LSPE Meetup June 27, 2012Actionable Metrics at Production Scale - LSPE Meetup June 27, 2012
Actionable Metrics at Production Scale - LSPE Meetup June 27, 2012SOASTA
 
HP - 2martie2011
HP - 2martie2011HP - 2martie2011
HP - 2martie2011Agora Group
 
Analysing The Results Of A Card Sort
Analysing The Results Of A Card SortAnalysing The Results Of A Card Sort
Analysing The Results Of A Card SortJustine Sanderson
 
The FAA Enforcement Process (2008)
The FAA Enforcement Process (2008)The FAA Enforcement Process (2008)
The FAA Enforcement Process (2008)Mark Kolber
 
Yes systems engineering, you are a discipline
Yes systems engineering, you are a disciplineYes systems engineering, you are a discipline
Yes systems engineering, you are a disciplineJoseph KAsser
 
Oracle data integrator in swedbank EDW - Rein Adamson ja Mart Tudre
Oracle data integrator in swedbank EDW - Rein Adamson ja Mart TudreOracle data integrator in swedbank EDW - Rein Adamson ja Mart Tudre
Oracle data integrator in swedbank EDW - Rein Adamson ja Mart TudreORACLE USER GROUP ESTONIA
 
Steuben Heroes Calendar
Steuben Heroes CalendarSteuben Heroes Calendar
Steuben Heroes Calendarsmhansbarger
 
Hp dba v.6.2 technical slides
Hp dba v.6.2 technical slidesHp dba v.6.2 technical slides
Hp dba v.6.2 technical slidesaxentriacg
 
Usmp 8100 p-0
Usmp 8100 p-0Usmp 8100 p-0
Usmp 8100 p-0zia_7575
 
Enterprise Architecture for Dummies - TOGAF 9 enterprise architecture overview
Enterprise Architecture for Dummies - TOGAF 9 enterprise architecture overviewEnterprise Architecture for Dummies - TOGAF 9 enterprise architecture overview
Enterprise Architecture for Dummies - TOGAF 9 enterprise architecture overviewWinton Winton
 
Katalog trends 07_oyen_de_web
Katalog trends 07_oyen_de_webKatalog trends 07_oyen_de_web
Katalog trends 07_oyen_de_webJörg Oyen
 
2010 Q1 WSO2 Technical Update
2010 Q1 WSO2 Technical Update2010 Q1 WSO2 Technical Update
2010 Q1 WSO2 Technical UpdateWSO2
 
Alison Fleming Michael Upton Collaborating for Success
Alison Fleming Michael Upton Collaborating for SuccessAlison Fleming Michael Upton Collaborating for Success
Alison Fleming Michael Upton Collaborating for SuccessFuture Perfect 2012
 
Carro y maleta de Herramientas - Suministrps Industriales
Carro y maleta de Herramientas - Suministrps IndustrialesCarro y maleta de Herramientas - Suministrps Industriales
Carro y maleta de Herramientas - Suministrps IndustrialesAUXITEC
 

Similar to SSO and fine grained authorization in the cloud (20)

learning interoperability from web2.0
learning interoperability from web2.0learning interoperability from web2.0
learning interoperability from web2.0
 
Social media & web analytics innovation procopio-2012-04
Social media & web analytics innovation procopio-2012-04Social media & web analytics innovation procopio-2012-04
Social media & web analytics innovation procopio-2012-04
 
Actionable Metrics at Production Scale - LSPE Meetup June 27, 2012
Actionable Metrics at Production Scale - LSPE Meetup June 27, 2012Actionable Metrics at Production Scale - LSPE Meetup June 27, 2012
Actionable Metrics at Production Scale - LSPE Meetup June 27, 2012
 
HP - 2martie2011
HP - 2martie2011HP - 2martie2011
HP - 2martie2011
 
Green cities elevated tower tank tree
Green cities elevated tower tank treeGreen cities elevated tower tank tree
Green cities elevated tower tank tree
 
Analysing The Results Of A Card Sort
Analysing The Results Of A Card SortAnalysing The Results Of A Card Sort
Analysing The Results Of A Card Sort
 
The FAA Enforcement Process (2008)
The FAA Enforcement Process (2008)The FAA Enforcement Process (2008)
The FAA Enforcement Process (2008)
 
GlassFish ESB and OpenESB
GlassFish ESB and OpenESBGlassFish ESB and OpenESB
GlassFish ESB and OpenESB
 
Yes systems engineering, you are a discipline
Yes systems engineering, you are a disciplineYes systems engineering, you are a discipline
Yes systems engineering, you are a discipline
 
Oracle data integrator in swedbank EDW - Rein Adamson ja Mart Tudre
Oracle data integrator in swedbank EDW - Rein Adamson ja Mart TudreOracle data integrator in swedbank EDW - Rein Adamson ja Mart Tudre
Oracle data integrator in swedbank EDW - Rein Adamson ja Mart Tudre
 
LOD2 Plenary Vienna 2012: WP10 - Training, Dissemination, Community Building,...
LOD2 Plenary Vienna 2012: WP10 - Training, Dissemination, Community Building,...LOD2 Plenary Vienna 2012: WP10 - Training, Dissemination, Community Building,...
LOD2 Plenary Vienna 2012: WP10 - Training, Dissemination, Community Building,...
 
Steuben Heroes Calendar
Steuben Heroes CalendarSteuben Heroes Calendar
Steuben Heroes Calendar
 
Hp dba v.6.2 technical slides
Hp dba v.6.2 technical slidesHp dba v.6.2 technical slides
Hp dba v.6.2 technical slides
 
Usmp 8100 p-0
Usmp 8100 p-0Usmp 8100 p-0
Usmp 8100 p-0
 
Enterprise Architecture for Dummies - TOGAF 9 enterprise architecture overview
Enterprise Architecture for Dummies - TOGAF 9 enterprise architecture overviewEnterprise Architecture for Dummies - TOGAF 9 enterprise architecture overview
Enterprise Architecture for Dummies - TOGAF 9 enterprise architecture overview
 
Katalog trends 07_oyen_de_web
Katalog trends 07_oyen_de_webKatalog trends 07_oyen_de_web
Katalog trends 07_oyen_de_web
 
2010 Q1 WSO2 Technical Update
2010 Q1 WSO2 Technical Update2010 Q1 WSO2 Technical Update
2010 Q1 WSO2 Technical Update
 
Press Release: North Main Stret Bridge project
Press Release: North Main Stret Bridge projectPress Release: North Main Stret Bridge project
Press Release: North Main Stret Bridge project
 
Alison Fleming Michael Upton Collaborating for Success
Alison Fleming Michael Upton Collaborating for SuccessAlison Fleming Michael Upton Collaborating for Success
Alison Fleming Michael Upton Collaborating for Success
 
Carro y maleta de Herramientas - Suministrps Industriales
Carro y maleta de Herramientas - Suministrps IndustrialesCarro y maleta de Herramientas - Suministrps Industriales
Carro y maleta de Herramientas - Suministrps Industriales
 

SSO and fine grained authorization in the cloud

  • 1. SSO and fine grained authorization in the cloud Oliver Wulff
  • 2. Brief introduction ● Solution Architect ● Web Services (Axis, CXF, …) ● Security (WS-*, Kerberos, Web SSO, …) ● Corba ● Java / C# / C++ ● Apache CXF PMC member ● Talend Community Coder (coders.talend.com) ● http://owulff.blogspot.com ● owulff@apache.org
  • 3. Agenda ● Authentication & Authorization in Web Applications ● Apache CXF Fediz ● Fediz and STS Use cases ● Relying Party IDP ● Fediz Roadmap
  • 4. Authentication & Authorization in Web Applications
  • 5. Application Security 10 years ago ● SSO solution using Reverse Proxy ● Proprietary SSO token / protocol ● Same product at Reverse Proxy, Application Server andcentral Security Service ● Security tokens validated by remote Security Server ● Role Based Access Control (Java, .NET API) ● User/ID management internal
  • 6. Security Challenges ● Non IT company – Buy vs build (non IT company) – Applications hosted in the cloud ● SaaS for IT companies ● Integrate several IDM systems (B2B customers) ● Access to user information – Network connectivity – Replicating user information ● Reduce Security Code in the Application
  • 7. Gaps ● Fine grained authorization (beyond RBAC) in application logic ● Tight coupling to custom security components and protocols (central server, reverse proxy, proxy agent) ● Tight coupling to single user domain ● Lack of agility and risk due to managing B2B users internally ● Different authentication mechanism in the application (container) ● Integration with Web Services Stack ● Mock testing
  • 8. How to address that? ● Indirect Trust Relationship to Security Server ● Push user data to the application instead of pulling it ● Externalize Authentication to a Central server ● Lightweight Open Source component ● Industry standard based solution
  • 9. WS-Federation ● OASIS Standard 2009 ● Security Token agnostic (SAML 1.1/2.0, …) ● Extends WS-Trust ● Browser and Web Services SSO ● PRP adapts Browser to WS-Trust ● No connectivity between Application and IDP required (Cloud) ● Claims/Attribute Based Access Control ● Supports several Authentication domains
  • 10. WS-Trust Security Token Service 1. Consumer requests token from STS, presenting credentials (RST = Request Security Token) 2. STS verifies credentials and issues signed token 3. STS sends token back to consumer (RSTR = Request Security Token Response) 4. Consumer encloses token in message to service provider (optionally signing message) 5. Service provider validates token (and signature) 6. Service provider sends response to consumer WS-SecurityPolicy brings flexibility and transparency to service consumer
  • 12. Apache CXF Fediz ● Sub-project of Apache CXF project ● Work started mid of 2011 ● Community growing ● First release in June 2012 ● Current release 1.0.2 ● Finishing work for 1.1
  • 13. Apache CXF Fediz Id e n tity P r o v id e r (ID P ) S e c u r ity T o k e n S e r v ic e (S T S ) W S - F e d e r a tio n F e d iz ID P n tio S e c u r ity T o k e n s t ic a e n W S -T ru s t is s u e d b y S T S en Tok F e d iz S T S u th A  U s e r M a c h in e B ro w s e r R e ly in g P a r ty (R P ) A cc es s  W W e b A p p lic a tio n R eb ec ed A to ir p p ID t lic P at io n F e d iz P lu g in H TTP S S e r v le t C o n ta in e r
  • 14. Apache CXF Fediz 2 ) S ig n In R e q u e s t 3 ) L o g in Id e n tity P r o v id e r W eb U ser ID P / S T S 4 ) P o s t C r e d e n tia ls 5 ) S ig n In R e s p o n s e S A M L to k e n B ro w s e r T r u s t r e la t io n s h ip S ig n e d T o k e n N o C a ll to S T S 7 ) R e s o u r c e , S e t C o o k ie R e ly in g P a r ty 6 ) P o s t S ig n In R e s p o n s e E x . T o m c a t, W e b s p h e re , A S P .N E T , e tc . 1 ) H T T P G E T re s o u rc e R e d ir e c t to I D P
  • 15. Apache CXF STS ● WS-Trust 1.3/1.4 ● SAML token creation ● WS-SecurityPolicy 1.3 customizable ● RST Subject, Audience, authenticationUsername/Kerb AttributeStatements,… eros/SAML token ● Claims support ● Security Bindings: ● Support for realms/security Symmetric, Asymmetric, domains Transport ● Identity Mapping ● Supported bindings ● Claims transformation Issue, validate, cancel, renew ● Advanced RST ● Token provider elementsKeyType, Entropy, SAML 1.1/2.0 (HOK, Bearer), AppliesTo, Custom, SecondaryParameters, … Secure Conversation ● Intermediary ● Token encryption supportOnBehalfOf, ActAs ● Issue/validate supports ● Custom Claims dialects token transformation ● Batch processing (RSTC)
  • 16. Fediz IDP / STS ● Username / password authentication ● User store (File, LDAP, JAAS) – File store – LDAPLoginModule – Other JAAS Login Module ● Claims/Role store (File, LDAP) – LdapClaimsHandler – FileClaimsHandler – custom ● SAML Token creation customizable ● Small footprint (Mock testing) ● Wiki http://cxf.apache.org/fediz-idp.html
  • 17. Fediz Plugin ● WS-Federation 1.0/1.1/1.2 ● SAML 1.1 / 2.0 Tokens ● IDP trust types Chain Trust, Direct Trust ● Core Logic Container independent ● Supports Tomcat 7 ● WS-Federation Metadata publish ● Claims provided in FederationPrincipal ● Wiki http://cxf.apache.org/fediz-idp.html
  • 18. Fediz Plugin Configuration Config element Description Metadata issuer Issuer URL PassiveRequestorEndpoint realm Realm TargetScope authenticationType Authentication Type NA roleURI Claim URI for roles NA roleDelimiter Role Value Delimiter NA claimTypesRequested Requested claims ClaimTypesRequested homeRealm Home Realm NA tokenValidators Security Token Validator NA signingKey Key for Metadata Metadata signature signature
  • 19. Fediz Plugin Extensions (1/2) ● Customize Sign-In Request Configuration SignIn Request Callback object authenticationType wauth WAuthCallback homeRealm whr HomeRealmCallback freshness wfresh FreshnessCallback issuer N.A. IDPCallback ● Customize Security Token Validation
  • 20. Fediz Plugin Extensions (2/2) ● Callback Handler implementation for Home Realm Discovery public class MyCallbackHandler implements CallbackHandler { public void handle(Callback[] callbacks) throws … { for (int i = 0; i < callbacks.length; i++) { if (callbacks[i] instanceof HomeRealmCallback) { HomeRealmCallback callback = (HomeRealmCallback) callbacks[i]; HttpServletRequest request = callback.getRequest(); String homeRealm = ... callback.setHomeRealm(homeRealm); } else { throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback"); } } } } ● Wiki http://cxf.apache.org/fediz-extensions.html
  • 21. Fediz Interoperability Fediz IDP Adnovum IDP Microsoft ADFS Fediz Plugin ASP.NET ● Fediz STS based on Apache CXF STS ● Apache CXF STS integrated into Adnovum IDP
  • 22. Fediz and STS Use cases
  • 23. STS: Use case Web SSO Fediz example “simpleWebapp” https://localhost:8443/fedizhelloworld/secure/fedservlet
  • 24. Standards ● WS-Federation 1.2 ● WS-Trust 1.3 ● SAML 2.0 ● OASIS Identity Metasystem CXF STS capabilities ● RST UsernameKerberos ● SAML 2.0 Bearer ● Claims from LDAP ● Claim data in AttributeStatement Federation plugin ● SAML token validation (WSS4J, OpenSAML) ● Creates security context
  • 25. STS: Use case intermediary Fediz example “wsclientWebapp” https://localhost:8443/fedizhelloworld/secure/service.jsp
  • 26. Standards ● WS-Trust 1.3 ● SAML 2.0 ● WS-SecurityPolicy CXF STS capabilities CXF capabilities ● RST SAML token [4,6] ● Issued token assertion(WS-SecurityPolicy) ● SAML 2.0 Bearer [6] ● SecondaryParameters ● Custom Token [4] ● OnBehalfOf (BinarySecurityToken) ● Token caching ● Token transformation [4,6] ● Identity Mapping[4] ● OnBehalfOf [4,6]
  • 28. More than one Requestor IDP ● WS-Federation defines Requestor and Relying Party IDP ● RP IDP issues SAML token for application in a requestor independent format ● Integrate Requestor IDPs without affecting application ● HomeRealm Discovery ● RP IDP federates Identities or Claims
  • 29. Internal ID management Federate identites R e q u e s to r Id P ● CXF IdentityMapper R e q u e s to r Id P m y c o m p a n y .c o m ● Relationship: FederateIdentity APAC m y c o m p a n y .c o m EM EA R P - Id P H o m e r e a lm d is c o v e r y 3 Id P m y c o m p a n y .c o m 2 B ro w s e r In tr a n e t 1 R e ly in g P a r ty A p p lic a tio n C o n ta in e r Ex. Tom cat
  • 30. Hyprid ID management R e q u e s to r Id P F a b r ik a m .c o m In te r n a l R e q u e s to r Id P m y c o m p a n y .c o m R e q u e s to r Id P APAC B ro w s e r m y c o m p a n y .c o m 3 f a b r ik a m .c o m EM EA R P -Id P 2 H o m e r e a lm d is c o v e r y 3 Id P m y c o m p a n y .c o m 2 B ro w s e r In tr a n e t 1 1 R e ly in g P a r ty A p p lic a tio n C o n ta in e r Ex. Tom cat Federate identities ● CXF IdentityMapper ● Relationship: FederateIdentity
  • 31. External requestor IDPs (SaaS) R e q u e s to r Id P F a b r ik a m .c o m In te r n a l R e q u e s to r Id P m y c o m p a n y .c o m R e q u e s to r Id P APAC B ro w s e r m y c o m p a n y .c o m 3 f a b r ik a m .c o m EM EA R P -Id P 2 H o m e r e a lm d is c o v e r y 3 Id P m y c o m p a n y .c o m 2 B ro w s e r In tr a n e t 1 2 B ro w s e r a d a ta m .c o m 1 R e ly in g P a r ty 1 A p p lic a tio n 3 C o n ta in e r Ex. Tom cat R e q u e s to r Id P Federate claims/attributes a d a ta m .c o m ● CXF ClaimsMapper E x te rn a l ● Relationship: FederateClaims
  • 32. Fediz Roadmap ● WS-Federation support for RP-IDP (1.1) ● HomeRealm Discovery (1.1) ● SAML Profile (1.1+) ● Support encrypted SAML tokens (1.1) ● SAML Holder-Of-Key (1.1) ● Fediz Plugin support – Karaf (1.1) – Jetty (1.1) – Spring Security (1.1)
  • 33. More information ● Fediz website http://cxf.apache.org/fediz.html ● Blogs http://coheigea.blogspot.com http://www.dankulp.com/blog/ http://sberyozkin.blogspot.com http://owulff.blogspot.com
  • 34. Content Slides ● Level 1 – Level 2 ● Level 3 – Level 4 ● Level 5
  • 35. Standards ● WS-Trust 1.3 ● SAML 2.0 Id e n tity P r o v id e r ● WS-SecurityPolicy < < S o la r is > > Id e n tit y S to r e Id e n tity S to r e < < W in d o w s > > < < M a in f r a m e > > ID P < < N e v is > > CXF STS capabilities 2 .1 LDAP RACF STS 2 .2 RST SAML token [4,6] <<CXF>> ● ● SAML 2.0 Bearer [6] 4 .1 ● Custom Token [4] (BinarySecurityToken) B u s in e s s S e r v ic e 2 < < T o m c a t> > ● Token transformation [4,6] 4 / 6 Identity Mapping[4] A p p lic a t io n ● J A X -R P C ● OnBehalfOf [4,6] Not CXF W e b A p p lic a tio n < < T o m c a t> > T ) ( BS CXF capabilities B ro w s e r 5 3 A p p lic a tio n ● Issued token assertion(WS- 1 J A X -W S B u s in e s s S e r v ic e SecurityPolicy) F e d e r a t io n _ _ CXF < < O S G i K a ra f> > ● SecondaryParameters 7 (S T ) A p p lic a t io n ● OnBehalfOf J A X -W S ● Token caching CXF